Salesforce’s Notice of Certification Under the Data Privacy Framework


Effective as of July 26, 2023 


For all Services (except those Services listed as out of scope below) Salesforce and our U.S. 
subsidiaries Demandware, LLC, Heroku, Inc., Krux Digital LLC, Mulesoft, LLC, Quip LLC, 
Salesforce, Inc., Slack Technologies, LLC, and Tableau Software, LLC, comply with the EU-U.S. 
Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework, and the 
Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) as set forth by 
the U.S. Department of Commerce regarding the collection, use, and retention of personal data 
transferred from the European Union, United Kingdom, and Switzerland, as applicable, to the 
United States in reliance on the Data Privacy Framework. Salesforce has certified to the 
Department of Commerce that it adheres to the Data Privacy Framework Principles with respect to 
such data. If there is any conflict between the terms in this notice and the Data Privacy Framework 
Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data 
Privacy Framework program, and to view our certification, please visit
https://www.dataprivacyframework.gov/s/.


Out of Scope (not covered by the Data Privacy Framework): Philanthropy Cloud. 


Data processed: Salesforce provides online tools that our customers use to communicate and 
operate aspects of their businesses. These include tools for customer relationship management, 
customer service, social engagement, community building, data analytics, internal employee 
management, communications and file management, and platforms for building websites and 
applications, among others. In providing these tools, Salesforce processes data our customers 
submit to our services or instruct us to process on their behalves. While Salesforce’s customers 
decide what data to submit, it typically includes information about their customers, sales leads, 
prospects, employees, and users of online tools, such as contact information, purchases, and 
billing information. 


Purposes of data processing: Salesforce processes data submitted by customers for the 
purpose of providing Salesforce’s online services to our customers. To fulfill these purposes, 
Salesforce may access the data to provide the services, to correct and address technical or 
service problems, to respond to customer support matters, or to follow instructions of the 
Salesforce customer who submitted the data, or in response to contractual requirements. 


Inquiries and complaints: If you believe Salesforce maintains your personal data in one of the 
services within the scope of our Data Privacy Framework certification, you may direct any 
inquiries or complaints concerning our Data Privacy Framework compliance to 
privacy@salesforce.com. Salesforce will respond within 45 days. If you have an unresolved 
privacy or data use concern that we have not addressed satisfactorily, please contact our 
U.S.-based third party dispute resolution provider (free of charge) at 
https://feedback-form.truste.com/watchdog/request. If neither Salesforce nor our dispute 
resolution provider resolves your complaint, you may have the possibility to engage in binding 
arbitration through the Data Privacy Framework Panel. For more information on this option, 
please see Annex I of the EU-U.S. Data Privacy Framework Principles.


Third parties who may receive personal data: Salesforce uses a limited number of third-party 
service providers to assist us in providing our services to customers. These third party providers 
offer customer support to our customers, perform database monitoring and other technical 
operations, assist with the transmission of data, and provide data storage services. These third 
parties may access, process, or store personal data in the course of providing their services. 
Salesforce maintains contracts with these third parties restricting their access, use and disclosure 
of personal data in compliance with our Data Privacy Framework obligations, including the 
onward transfer provisions, and Salesforce remains liable if they fail to meet those obligations 
and we are responsible for the event giving rise to damage. 


Your rights to access, to limit use, and to limit disclosure: EU, UK, and Swiss individuals 
have rights to access personal data about them, and to limit use and disclosure of their personal 
data. With our Data Privacy Framework self-certification, Salesforce has committed to respect 
those rights. Because Salesforce personnel have limited ability to access data our customers 
submit to our services, if you wish to request access, to limit use, or to limit disclosure, please 
provide the name of the Salesforce customer who submitted your data to our services. We will 
refer your request to that customer, and will support them as needed in responding to your 
request. 


U.S. Federal Trade Commission enforcement: Salesforce’s commitments under the Data 
Privacy Framework are subject to the investigatory and enforcement powers of the United 
States Federal Trade Commission. 


Compelled disclosure: Salesforce may be required to disclose personal information in response 
to lawful requests by public authorities, including to meet national security or law enforcement 
requirements. 


